generated from NHSDigital/nhs-notify-repository-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
702a62a
commit 42e6378
Showing
49 changed files
with
1,170 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
### Terraform ### | ||
|
||
# Transient backends | ||
components/**/backend_tfscaffold.tf | ||
|
||
# Compiled files | ||
**/*.tfstate | ||
**/*.tfplan | ||
**/*.tfstate.backup | ||
**/.terraform | ||
**/.terraform.lock.hcl | ||
**/.terraform/* | ||
**/build/* | ||
**/work/* | ||
**/*tfstate.lock.info | ||
|
||
# Scaffold Plugin Cache | ||
plugin-cache/* | ||
|
||
# PyCache | ||
**/__pycache__ | ||
|
||
### OSX ### | ||
**/.DS_Store | ||
**/.AppleDouble | ||
**/.LSOverride | ||
|
||
# Icon must end with two \r | ||
Icon | ||
|
||
# Thumbnails | ||
._* | ||
|
||
# Files that might appear in the root of a volume | ||
.DocumentRevisions-V100 | ||
.fseventsd | ||
.Spotlight-V100 | ||
.TemporaryItems | ||
.Trashes | ||
.VolumeIcon.icns | ||
|
||
# Directories potentially created on remote AFP share | ||
.AppleDB | ||
.AppleDesktop | ||
Network Trash Folder | ||
Temporary Items | ||
.apdisk | ||
|
||
*.swp | ||
.nyc_output | ||
|
||
# VS Code | ||
.vscode | ||
|
||
# IntelliJ Idea | ||
.idea | ||
**/*.iml | ||
|
||
# js | ||
node_modules |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
latest:^1.8 |
44 changes: 44 additions & 0 deletions
44
infrastructure/terraform/components/acct/locals_tfscaffold.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
locals { | ||
terraform_state_bucket = format( | ||
"%s-tfscaffold-%s-%s", | ||
var.project, | ||
var.aws_account_id, | ||
var.region, | ||
) | ||
|
||
csi = replace( | ||
format( | ||
"%s-%s-%s", | ||
var.project, | ||
var.environment, | ||
var.component, | ||
), | ||
"_", | ||
"", | ||
) | ||
|
||
# CSI for use in resources with a global namespace, i.e. S3 Buckets | ||
csi_global = replace( | ||
format( | ||
"%s-%s-%s-%s-%s", | ||
var.project, | ||
var.aws_account_id, | ||
var.region, | ||
var.environment, | ||
var.component, | ||
), | ||
"_", | ||
"", | ||
) | ||
|
||
default_tags = merge( | ||
var.default_tags, | ||
{ | ||
Project = var.project | ||
Environment = var.environment | ||
Component = var.component | ||
Group = var.group | ||
Name = local.csi | ||
}, | ||
) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
output "dns_zone" { | ||
value = { | ||
id = aws_route53_zone.main.id | ||
name = aws_route53_zone.main.name | ||
nameservers = aws_route53_zone.main.name_servers | ||
} | ||
} | ||
|
||
output "github_pat_ssm_param_name" { | ||
value = aws_ssm_parameter.github_pat.name | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
provider "aws" { | ||
region = var.region | ||
|
||
allowed_account_ids = [ | ||
var.aws_account_id, | ||
] | ||
|
||
default_tags { | ||
tags = local.default_tags | ||
} | ||
} | ||
|
||
provider "aws" { | ||
alias = "us-east-1" | ||
region = "us-east-1" | ||
|
||
default_tags { | ||
tags = local.default_tags | ||
} | ||
|
||
allowed_account_ids = [ | ||
var.aws_account_id, | ||
] | ||
} |
3 changes: 3 additions & 0 deletions
3
infrastructure/terraform/components/acct/route53_delegation_set.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
resource "aws_route53_delegation_set" "main" { | ||
reference_name = "iam.${var.root_domain_name}" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resource "aws_route53_zone" "main" { | ||
name = "iam.${var.root_domain_name}" | ||
|
||
delegation_set_id = aws_route53_delegation_set.main.id | ||
} |
16 changes: 16 additions & 0 deletions
16
infrastructure/terraform/components/acct/ssm_parameter_github_pat.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
resource "aws_ssm_parameter" "github_pat" { | ||
name = "/${local.csi}/github_pat" | ||
description = "A GitHub PAT token for settings up AWS Amplify. This is only used at initial setup of the service" | ||
type = "SecureString" | ||
value = try(var.initial_cli_secrets_provision_override.github_pat, "UNSET") | ||
|
||
lifecycle { | ||
ignore_changes = [value] | ||
} | ||
} | ||
|
||
# This can be set at provision time like: | ||
# PARAM_OBJECT=$(jq -n \ | ||
# --arg github_pat "github_pat_123abc" \ | ||
# '{github_pat:$github_pat}' | jq -R) | ||
# .bin/terraform <args> .. -a apply -- -var="initial_cli_secrets_provision_override=${PARAM_OBJECT}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
## | ||
# Basic Required Variables for tfscaffold Components | ||
## | ||
|
||
variable "project" { | ||
type = string | ||
description = "The name of the tfscaffold project" | ||
} | ||
|
||
variable "environment" { | ||
type = string | ||
description = "The name of the tfscaffold environment" | ||
} | ||
|
||
variable "aws_account_id" { | ||
type = string | ||
description = "The AWS Account ID (numeric)" | ||
} | ||
|
||
variable "region" { | ||
type = string | ||
description = "The AWS Region" | ||
} | ||
|
||
variable "group" { | ||
type = string | ||
description = "The group variables are being inherited from (often synonmous with account short-name)" | ||
} | ||
|
||
## | ||
# tfscaffold variables specific to this component | ||
## | ||
|
||
# This is the only primary variable to have its value defined as | ||
# a default within its declaration in this file, because the variables | ||
# purpose is as an identifier unique to this component, rather | ||
# then to the environment from where all other variables come. | ||
variable "component" { | ||
type = string | ||
description = "The variable encapsulating the name of this component" | ||
default = "acct" | ||
} | ||
|
||
variable "default_tags" { | ||
type = map(string) | ||
description = "A map of default tags to apply to all taggable resources within the component" | ||
default = {} | ||
} | ||
|
||
## | ||
# Variables specific to the "dnsroot"component | ||
## | ||
|
||
variable "root_domain_name" { | ||
type = string | ||
description = "The service's root DNS root nameespace, like nonprod.nhsnotify.national.nhs.uk" | ||
default = "nonprod.nhsnotify.national.nhs.uk" | ||
} | ||
|
||
variable "initial_cli_secrets_provision_override" { | ||
type = map(string) | ||
description = "A map of default value to intialise SSM secret values with. Only useful for initial setup of the account due to lifecycle rules." | ||
default = {} | ||
# Usage like: | ||
# ... -a apply -- -var initial_cli_secrets_provision_override={\"github_pat\":\"l0ngstr1ng"} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 5.50" | ||
} | ||
} | ||
|
||
required_version = ">= 1.8.1, < 1.9.0" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
latest:^1.8 |
14 changes: 14 additions & 0 deletions
14
infrastructure/terraform/components/iam/acm_certificate.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
# resource "aws_acm_certificate" "main" { | ||
# # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-issuer | ||
# domain_name = "${local.csi}.${aws_route53_zone.main.name}" | ||
# validation_method = "DNS" | ||
|
||
# lifecycle { | ||
# create_before_destroy = true | ||
# } | ||
# } | ||
|
||
# resource "aws_acm_certificate_validation" "main" { | ||
# certificate_arn = aws_acm_certificate.main.arn | ||
# validation_record_fqdns = [for record in aws_route53_record.validation : record.fqdn] | ||
# } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
resource "aws_amplify_app" "main" { | ||
name = local.csi | ||
repository = "https://github.com/NHSDigital/nhs-notify-iam-webauth" | ||
access_token = data.aws_ssm_parameter.github_pat_ssm_param_name.value | ||
|
||
iam_service_role_arn = aws_iam_role.amplify.arn | ||
|
||
enable_auto_branch_creation = false | ||
enable_branch_auto_build = var.enable_amplify_branch_auto_build | ||
platform = "WEB_COMPUTE" | ||
|
||
auto_branch_creation_patterns = [ | ||
"*", | ||
"*/**" | ||
] | ||
|
||
environment_variables = { | ||
USER_POOL_ID = aws_cognito_user_pool.main.id | ||
HOSTED_LOGIN_DOMAIN = aws_cognito_user_pool.main.domain | ||
NOTIFY_GROUP = var.group | ||
NOTIFY_ENVIRONMENT = var.environment | ||
NOTIFY_DOMAIN_NAME = local.acct.dns_zone["name"] | ||
} | ||
} |
10 changes: 10 additions & 0 deletions
10
infrastructure/terraform/components/iam/amplify_domain_association.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
resource "aws_amplify_domain_association" "domain" { | ||
app_id = aws_amplify_app.main.id | ||
domain_name = local.acct.dns_zone["name"] | ||
enable_auto_sub_domain = false | ||
|
||
sub_domain { | ||
branch_name = module.amplify_branch.name | ||
prefix = "" | ||
} | ||
} |
5 changes: 5 additions & 0 deletions
5
infrastructure/terraform/components/iam/cloudwatch_log_group_amplify.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
resource "aws_cloudwatch_log_group" "amplify" { | ||
name = "/aws/amplify/${local.csi}" | ||
retention_in_days = var.log_retention_in_days | ||
kms_key_id = module.kms.key_arn | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
resource "aws_cognito_user_pool" "main" { | ||
name = local.csi | ||
|
||
username_attributes = ["email"] | ||
|
||
admin_create_user_config { | ||
allow_admin_create_user_only = true | ||
} | ||
} |
26 changes: 26 additions & 0 deletions
26
infrastructure/terraform/components/iam/cognito_user_pool_client.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
resource "aws_cognito_user_pool_client" "main" { | ||
name = local.csi | ||
user_pool_id = aws_cognito_user_pool.main.id | ||
|
||
callback_urls = flatten([ | ||
var.cognito_user_pool_additional_callback_urls, | ||
[ | ||
"https://${local.csi}.${var.root_domain_name}/auth/", | ||
"https://${local.csi}.${aws_amplify_app.main.id}.amplifyapp.com/auth/" | ||
] | ||
]) | ||
|
||
supported_identity_providers = flatten([ | ||
var.enable_cognito_built_in_idp ? ["COGNITO"] : [], | ||
# identity_provider_names.provider.provider_name #e.g. auth0 | ||
]) | ||
|
||
allowed_oauth_flows = ["code"] | ||
allowed_oauth_scopes = [ | ||
"openid", | ||
"email", | ||
"phone", | ||
"profile", | ||
"aws.cognito.signin.user.admin" | ||
] | ||
} |
5 changes: 5 additions & 0 deletions
5
infrastructure/terraform/components/iam/cognito_user_pool_domain.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# resource "aws_cognito_user_pool_domain" "domain" { | ||
# user_pool_id = aws_cognito_user_pool.main.id | ||
# domain = local.acct.dns_zone["name"] | ||
# certificate_arn = aws_acm_certificate.main.arn | ||
# } |
3 changes: 3 additions & 0 deletions
3
infrastructure/terraform/components/iam/data_ssm_parameter_github_pat.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
data "aws_ssm_parameter" "github_pat_ssm_param_name" { | ||
name = local.acct.github_pat_ssm_param_name | ||
} |
Oops, something went wrong.